AirDefense: Wireless Security for Enterprises - Page 2

This IDS relies on more than just signature-based detection. It looks at a variety of factors including standard policy setup, anomalies in user activity and activity that breaks 802.11 protocols. This means the IDS is adept at detecting potential attacks before they are even known. Now, no IDS is perfect but the odds swing in your favor when you go beyond a signature-based IDS that is solely on the lookout for known attacks.

The sensors can also be helpful when trying to keep track of wireless inventory and what's being used where. This can help to differentiate regular users from rogue visitors, as well as identify when employees are trying to circumvent proper wireless policy. Additionally, this can be used to create performance baselines on a larger scale and to cross-reference such details.

Comparing something as simple as MAC addresses allows you to identify spoofed addresses, high-use users and high-traffic areas. For example, let's say a particular area rarely uses their AP but another location is near overload. You'd then only need to move the AP to a new location to ensure better load balancing. Such practical administration over network resources is possible because all of the sensors' collected information is presented in a centralized dashboard allowing for better analysis.

When looking at this product, I thought that the amount of data would be overwhelming. Fortunately, AirDefense's reporting software makes it easy to interpret the data, create necessary reports and keep the information that you critically need close at hand. As mentioned earlier, it can act as inventory control, graphically displaying connections on a visual map and graphing the various behavior baselines of devices. And not just for one location, but for all locations. This also allows me to monitor which environments are not following policy (say, using encryption for certain activities) and enforce it.

What about incidents? You can set up various policies based on what you want to have done in the event of certain activities. This can be as simple as recording the incident to paging an administrator or being "pro-active" in response.

Now, I generally shy away from "proactive" products because the potential for mistakes is exacerbated by automated nature of these devices. But with wireless, a rogue user has to physically enter the network area. Since proactive measures can include shutting down APs (thus knocking intruders off the network) or sending multiple disconnects (a type of DoS if you will), the likelihood of a false positive, while still there, has less of a harmful effect against "innocent bystanders". For them, it becomes more of an annoyance than anything else. This is, of course, dependent on how the rules governing the device's response to such situations were set up.

You may still think this a bit of overkill, but consider these results from a recent survey (PricewaterhouseCoopers, November 2003) on network attacks:

46% of companies who have wireless have been victim of a security breach.

83% of these reported a monetary loss.

2% said the attacks came from wireless source (that they know of).

That last point is important. Given that wireless use is increasing and attackers are getting easier-to-use, yet more powerful tools that 2% seems awfully low. "Hacker" sites, for instance, are known to have published list upon list of open and unsecured APs.

Companies must realize that it's not just a matter of setting up a wireless network that's important. A close examination of the security implications can mean the difference between a solid implementation and a leaky infrastructure. Are you willing to take a chance that your competitors won't use your wireless network as a way in and help themselves to your $1 billion revolutionary widget design? Heck no! (There is obviously a lot more to your security than a simple firewall but that's another article entirely).

Serious protection does come at a cost, starting at about $10,000 in AirDefense's case. It's well worth it if you want to protect the bottom line, ensure patient and customer confidentiality or you want to make certain that your doors (and Windows) aren't open for attackers or your competitors to sneak in.